UK Companies House notifies FIVE MILLION COMPANIES of a flaw in its WebFiling service

18/03/2026

UK's Companies House, the official registry for over FIVE MILLION COMPANIES, has notified all registered companies about a serious security flaw in its WebFiling service.

The vulnerability, active since an IT update in October 2025 (potentially for up to six months), allowed logged-in users to access and potentially modify the private dashboards of any UK company, not just their own.

Key Details

  • What happened: After logging into their own account and navigating to file documents, users could perform specific actions (e.g., pressing the browser's back button) to view or edit sensitive details of other companies. This included directors' personal information (such as home addresses, email addresses, and dates of birth), company details, and even the ability to change records or file accounts.
  • Access requirements: Exploitation required a valid Companies House login (with authentication), so it wasn't open to the general public without an account. However, accounts are relatively easy to obtain, raising concerns about potential misuse by fraudsters worldwide.
  • Impact: The flaw potentially exposed personal and corporate data for millions of directors and companies, enabling risks like identity fraud, company hijacking, or fraudulent filings.
  • Response: Companies House took the WebFiling service offline on Friday, March 13, 2026, after being alerted (notably via reports from tax expert Dan Neidle and John Hewitt of Ghost Mail). It was restored by Monday, March 16, with the issue fixed. No evidence of password compromise has been reported, and it's described as a glitch/misconfiguration rather than a cyberattack.
  • Official actions: Companies House has issued statements urging firms to check their records for unauthorised changes. They've referred the matter for further review and apologised to users. The flaw was likely introduced during a system update in October 2025.

This incident highlights ongoing challenges in securing government-linked systems handling vast amounts of sensitive business data.

IMPORTANT ISSUES TO ANSWER

  • Saying the vulnerability "could only have been exploited by a logged-in user performing a specific set of actions" downplays the ease with which bad actors can gain a Companies House login.
  • A five-month vulnerability means it is likely that lots of people discovered it. Was it ignored or exploited?
  • The vulnerability could have been used to modify company data and then engineer a fraud on that company or its commercial counterparties/lenders.
  • It leaves open the question of whether Companies House can actually ascertain if the vulnerability was used to access or modify data. It's a critical question.
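
Whether cross-company access can be ascertained after the fact depends on what the service logged. The Python example below is added here for illustration and is not from the original article or from Companies House: it assumes a hypothetical audit log format in which an AUTHORISE event records a user proving entitlement to a company, and flags any VIEW or EDIT on a company that user never authorised for. The log lines, event names, user names and company numbers are all constructed.

```python
from datetime import datetime, timezone

# Constructed sample audit log in a hypothetical format (not a real
# Companies House log). Lines are assumed to be in chronological order.
SAMPLE_LOG = """\
2025-11-03T09:12:01Z user=alice event=AUTHORISE company=00000001
2025-11-03T09:12:40Z user=alice event=VIEW company=00000001
2025-11-03T09:13:05Z user=alice event=VIEW company=00000002
2025-11-03T09:13:30Z user=alice event=EDIT company=00000002
2025-12-10T14:00:00Z user=bob event=AUTHORISE company=00000003
2025-12-10T14:01:00Z user=bob event=EDIT company=00000003
2026-01-15T08:30:00Z user=carol event=VIEW company=00000001
not a log line
"""

def parse_line(line):
    """Return (timestamp, fields) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        fields = dict(p.split("=", 1) for p in parts[1:])
    except ValueError:  # bad timestamp or a token without "="
        return None
    if not {"user", "event", "company"} <= fields.keys():
        return None
    return ts, fields

def find_cross_company_access(log_text):
    """Flag VIEW/EDIT events on a company the user never authorised for."""
    authorised = {}  # user -> set of company numbers they proved entitlement to
    findings, skipped = [], 0
    for line in filter(None, map(str.strip, log_text.splitlines())):
        parsed = parse_line(line)
        if parsed is None:
            skipped += 1  # count unparseable lines so gaps in evidence are visible
            continue
        ts, f = parsed
        if f["event"] == "AUTHORISE":
            authorised.setdefault(f["user"], set()).add(f["company"])
        elif f["event"] in ("VIEW", "EDIT"):
            if f["company"] not in authorised.get(f["user"], set()):
                findings.append((ts.isoformat(), f["user"], f["event"], f["company"]))
    return findings, skipped
```

If the service recorded only the signed-in user and not the company each request acted on, a check like this cannot be run, which is why the question matters.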

WHAT TO DO

  • Companies are advised to log in (service is now back) and verify their details immediately.
  • If you're a UK company director, check your records promptly via the official portal. For the most up-to-date info, refer to the official GOV.UK statement listed under Sources below.

Sources

Here are the main reliable sources covering the incident:

  1. Official Companies House statement (GOV.UK) – Update on Companies House WebFiling security issue https://www.gov.uk/government/news/update-on-companies-house-webfiling-security-issue (Published March 16, 2026 – Primary source from Andy King, Chief Executive)
  2. BleepingComputer – UK's Companies House confirms security flaw exposed business data https://www.bleepingcomputer.com/news/security/uks-companies-house-confirms-security-flaw-exposed-business-data (Detailed technical coverage, mentions Dan Neidle's role in disclosure)
  3. BBC News – Companies House security issue: UK firms urged to check details https://www.bbc.com/news/articles/c5y41p0dy1wo (Mainstream reporting on the glitch and urging checks)
  4. Help Net Security – Millions of UK firms on alert after Companies House data exposure https://www.helpnetsecurity.com/2026/03/17/companies-house-webfiling-service-vulnerability (Cybersecurity-focused analysis, notes October 2025 update as likely cause)
  5. Tax Policy Associates (Dan Neidle's blog) – Companies House vulnerability enabled company hijacking
    1. https://taxpolicy.org.uk/2026/03/13/companies-house-security-vulnerability-directors-addresses (Original discovery details from the researcher who helped expose it)
    2. https://www.linkedin.com/posts/danneidle_companies-house-has-now-alerted-all-five-activity-7439732613138993153-DcBO?utm_source=share&utm_medium=member_desktop&rcm=ACoAAAA_6EIB0wPAWyjQcuq_XiD3asUV8xpMeZ0
  6. Financial Times – Companies House says system update is probable cause of security breach https://www.ft.com/content/631f0ffe-90c1-4c13-ac4d-19e61c0f11f3 (Business perspective on the ongoing investigation)
  7. City A.M. – Companies House admits security failure was live for six months https://www.cityam.com/companies-house-admits-security-failure-was-live-for-six-months (Highlights duration and apology)
  8. Daily Mail – Companies House closed temporarily after glitch allowed people to edit firms' details https://www.dailymail.co.uk/news/article-15644643/Companies-House-closed-temporarily-glitch-allowed-people-edit-firms-details.html (Broader media coverage)